Responsible Disclosure Policy

Indigov aims to keep its services safe for everyone, and data security is of utmost priority to us. If you are a security researcher and have discovered a security vulnerability in the Indigov’s services, we appreciate your help in disclosing it to us following our Responsible Disclosure Policy. This will ensure the security of our customers, as well as enables us to recognize your efforts.

Any vulnerabilities disclosed to us by this policy will be covered by Safe Harbor—we pledge not to pursue or support any legal action related to your research.

  • During your research please do not spam, conduct a denial of service, or perform any social engineering (including phishing) of our staff
  • Notify us of the vulnerability at security@indigov.com. Please include your evidence as well as steps for reproducing the issue
  • To protect our users, please refrain from sharing information about any potential vulnerability outside of Indigov until remediation is completed

Certain types of issues are considered as known/acceptable risks, and hence not considered vulnerabilities- these include brute force attacks or other denial of service based issues, mobile issues that require a jailbroken device, clickjacking, cookies flags among others.

What to expect after you report a vulnerability

Once you have reported a vulnerability, the following process will kick in:

  • We will investigate and try to reproduce this vulnerability on our own. We may need to contact you during this process
  • We will respond to your email within 48 business hours acknowledging your report
  • We will credit and thank you after vulnerabilities have been fixed (based on our security SLA)
  • Depending on severity, we will publicly disclose reported vulnerabilities that we’ve remedied